Age | Commit message | Author | Files | Lines
2023-02-07 | ipsec: fix AES CBC IV generation (CVE-2022-46397) [stable/2009] | Benoît Ganne | 3 | -22/+72
For AES-CBC, the IV must be unpredictable (see NIST SP800-38a Appendix C). Chaining IVs as is done by ipsecmb and native backends for the VNET_CRYPTO_OP_FLAG_INIT_IV is fully predictable. Encrypt a counter as part of the message, making the (predictable) counter-generated IV unpredictable.
Fixes: VPP-2037
Type: fix
Change-Id: If4f192d62bf97dda553e7573331c75efa11822ae
Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-05-27 | dpdk: disable i40evf in favor of iavf patch | Juraj Linkeš | 1 | -0/+232
Fix an issue where multiple VPP instances with DPDK starting at the same time would not initialize VFs properly. This is done by using the iavf PMD (where the issue can't be reproduced) instead of the i40evf PMD.
Type: fix
Ticket: VPP-1943
Signed-off-by: Juraj Linkeš <juraj.linkes@pantheon.tech>
Change-Id: Idcc48088c7d66a76da2b4675c02c7c115706c8b3
2021-04-21 | ikev2: test responder behind NAT | Filip Tehlar | 1 | -29/+49
Type: test
Ticket: VPP-1903
Change-Id: I7fab6931833d6e253b7b921172825387302d8f70
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
(cherry picked from commit 027d813a509be0f30e05b48b888007b0094e4faf)
2021-01-22 | docs: vpp stateless traffic generator | Dave Barach | 2 | -0/+106
Add a use-case writeup.
Type: docs
Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: Ib6e79e80455edbdeedcc96943dd98f16c57c559e
(cherry picked from commit b8f6122b4f4c828dee103d1f3116d27e6e3e6f3a)
2021-01-14 | build: add missing openssl-devel package for centos-8 vpp-ext-deps | Dave Wallace | 1 | -1/+1
- In a new centos-8 installation, vpp-ext-deps fails on missing ssl.h header file after 'make install-deps'.
Type: fix
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: I521d817dd1f1e21aff427d98b9832ea7c7b89339
2020-12-21 | docs: update list of plugins | Paul Vinciguerra | 5 | -13/+81
The list of plugins is outdated. This change introduces a dynamically generated list of the plugins along with their descriptions, extracted directly from the sources.
Type: docs
Change-Id: Icb7b65e6b45289e257d71a1c18d10f62ced59cbe
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
(cherry picked from commit 630ca994e0ff210a3de80d73bb395c931d2fd83f)
2020-12-18 | docs: fix missing quotes in ubuntu install instructions | Paul Vinciguerra | 1 | -5/+5
type: docs
Change-Id: Ifa09b63924f4b7bf2719bba6ada0e1122407641c
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
(cherry picked from commit ac9a585c6207ac876025f924aeb96ddcac8c8805)
2020-12-10 | nat: avoid hairpinning infinite loop problem | Elias Rudberg | 2 | -0/+100
Fix in nat44 hairpinning code to check if anything was actually changed in the snat_hairpinning() routine, and return 0 if nothing changed. This helps avoid an infinite loop repeating the three nodes nat44-hairpinning-->ip4-lookup-->ip4-local in case there was no change. Also add a corresponding test case.
This is essentially a cherry-pick of change 30284 but the automatic cherry-picking did not work because of some filename changes.
Type: fix
Signed-off-by: Elias Rudberg <elias.rudberg@bahnhof.net>
Change-Id: I21a59ae7423f40abeff9fc0411330da58b3011f0
2020-12-08 | build: fix centos-8 'make install-deps' enable PowerTools repo | Dave Wallace | 1 | -1/+2
- The name of the powertools repo was changed [0] in centos-8 from 'PowerTools' to 'powertools'. Retrieve the correct name from 'dnf repolist all' instead of hard coding it.
[0] https://git.centos.org/rpms/centos-repos/c/b759b17557b9577e8ea156740af0249ab1a22d70
Type: fix
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: Ic1402e671eb1d70dec429bab82ad18d8251f4eef
(cherry picked from commit 1affb31ef528dcbc90b718bd70a9882a4225a385)
2020-12-02 | ikev2: fix nat traversal | Filip Tehlar | 2 | -3/+48
Type: fix
Change-Id: Ie723cf680745ec2292a15e2df05c1821436dba19
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
(cherry picked from commit 18107c974c24a708e309542d1dbf4a52acc70b08)
2020-11-30 | stats: missing dimension in stat_set_simple_counter | Ole Troan | 3 | -9/+27
A simple counter is a two-dimensional array by threads and counter index. 28017 introduced an error missing the first dimension. If a vector is updated at the same time as a client reads, an invalid pointer may result. This will be caught by the optimistic locking after copying out the data, but if following a pointer outside of the stat segment then the stat client would crash. Add suitable boundary checks for access to stat memory segment.
Fixes: 7d29e320fb2855a1ddb7a6af09078b8ed636de01
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: I94f124ec71d98218c4eda5d124ac5594743d93d6
(cherry picked from commit 65c56c83ce4e58178b5ad90a8f325692c9904381)
Signed-off-by: Elias Rudberg <elias.rudberg@bahnhof.net>
2020-11-26 | rdma: fixed UAR writing at tx | Mohammed Hawari | 1 | -1/+1
Change-Id: Id81b4d27845c4e91cef90a4b8649662942d3cba1
Signed-off-by: Mohammed Hawari <mohammed@hawari.fr>
Type: fix
(cherry picked from commit 3ef653aa886e6a07afba106b4f03c40e392e1307)
2020-11-26 | ip-neighbor: Send API event when neighbor is removed | Neale Ranns | 9 | -51/+210
Type: fix
Signed-off-by: Neale Ranns <neale.ranns@cisco.com>
Change-Id: I9952497a108bac26445af95c28d4eed46099c2fc
2020-11-26 | ikev2: better handling when no IKE DH configured | Filip Tehlar | 2 | -34/+161
Type: improvement
Change-Id: I4289d20adaa3f2872889d5dbaafd9c025df8aca8
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
(cherry picked from commit e1ab06c14deaff5cc0870f7ec76f36613ffcc2d3)
2020-11-26 | ikev2: fix issue when sending multiple requests at once | Filip Tehlar | 2 | -20/+68
Type: fix
Change-Id: I8ed556de4370a03d10c56cce101cd5ea0d0aaf8b
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
(cherry picked from commit 38340fa32c96e9c6cb1593f03117dd504efbd5f4)
2020-11-26 | ikev2: respect punting only for ipv4 | Benoît Ganne | 1 | -1/+7
IPSec punting to IKEv2 is valid only for NAT-T in IPv4. Fix coverity CID 214915.
Type: fix
Change-Id: I6f2db38abf179565316f50c5d47c78acce3a0d01
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit d9ed0b67866fa6b8a5f449fdb8da8d6aacb5f225)
2020-11-26 | ikev2: fix memleak when tunnel protect fails | Filip Tehlar | 1 | -16/+35
Type: fix
Change-Id: I1d278fc2b03b948c054ff1686315635ac0278ae8
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit 727082016f8822edcf40662d0059d3e8fab5e2ef)
2020-11-26 | ikev2: add tests for DPD | Filip Tehlar | 1 | -1/+62
Type: test
Change-Id: I9c1129a8596344551f3f8f2e029846d22511482e
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
(cherry picked from commit 2008e314537500975acbd666e38d3fa6e7261bf5)
2020-11-26 | ikev2: fix msg IDs generation | Filip Tehlar | 1 | -14/+16
Type: fix
Change-Id: Id922895c269f0d2450e55fcb6871b6857f443462
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
(cherry picked from commit f6b02e0d0bfd7e0f1d79e8ee426f48ca37ae5ff3)
2020-11-26 | ikev2: fix udp encap | Filip Tehlar | 2 | -9/+23
Type: fix
Change-Id: I8c66f79f2d8cfff7c6d45e1fc5b529ffb3941491
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
(cherry picked from commit 67b8a7fa76d8ec2d73f1b2380e11bf8e2793448e)
2020-11-26 | ikev2: add option to disable NAT traversal | Filip Tehlar | 9 | -34/+154
Type: feature
Ticket: VPP-1935
Change-Id: I705f84047b112279377590157a1c7b4a34f693d2
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
(cherry picked from commit d7fc12f07313f9147159f2562f6fcc928af7a963)
2020-11-26 | ikev2: fix reply during rekey | Filip Tehlar | 2 | -44/+192
Type: fix
Change-Id: If87f4b8ae92508215fe91178958fe2ddb91e5a35
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
(cherry picked from commit 68ad6258374201ba8f0dc052e6f44d6250555249)
2020-11-26 | ikev2: increase tick interval in process node | Filip Tehlar | 1 | -13/+2
This helps to resolve sporadic failures in unit tests.
Type: fix
Change-Id: I3abd77ed74310f9729a841e8569eafe6d7758dcb
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
(cherry picked from commit 761f8f0eaaf43f38fdd9d160ba19ff833de7d210)
2020-11-26 | ikev2: cli for disabling dead peer detection | Filip Tehlar | 3 | -2/+30
Type: feature
Change-Id: I0db0a9b2f872753fa64d27335838cb34645a9ee8
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
(cherry picked from commit af4a414eb74d1456121023e6b3aa76af6c16f89a)
2020-11-26 | ikev2: fix memory leak | Filip Tehlar | 1 | -2/+7
Type: fix
Change-Id: I33c38c791cc9a28898de402ae831c4862073eb2d
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
(cherry picked from commit b8bc2f1ef3332a795880f11f1c45a77b1b7851f6)
2020-11-26 | ikev2: support sending requests from responder | Filip Tehlar | 4 | -29/+146
Type: improvement
Ticket: VPP-1894
Change-Id: I5a24a48416bca2ffbd346cdaa813fb25801e6c9b
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
(cherry picked from commit edf2900ac633ae0d8575b04094b1bca40e1a221f)
2020-11-26 | ikev2: fix setting responder/initiator addresses | Filip Tehlar | 4 | -67/+95
Type: fix
Change-Id: Ic406aa914d92e802a5fb0f27c2ffa1b98db012b0
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
(cherry picked from commit ec112e5a9eb708c1ee85faf569fef6fa40178294)
2020-11-26 | ikev2: prevent crash after no IP address | Filip Tehlar | 1 | -196/+345
Type: fix
Ticket: VPP-1900
This fixes a crash when initiating IKE connection using interface without any IP address. It also ensures that the IKE connection is automatically retried once the interface obtains an address.
Signed-off-by: jan_cavojsky <Jan.Cavojsky@pantheon.tech>
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: Ia1919c349e64b3a0a4198365e075e177e3ba3de5
(cherry picked from commit 6960da528443ea40b1cdab323c76f978f7b16a8b)
2020-11-26 | ikev2: fix initial contact cleanup | Filip Tehlar | 2 | -306/+562
When looking for an existing SA connection to clean up, search all per-thread data, not only the current one.
Type: fix
Change-Id: I59312e08a07ca1f474b6389999e59320c5128e7d
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
(cherry picked from commit e7c8396982607634b4c747870499671ffa53868e)
2020-11-26 | ikev2: fix coverity warning | Filip Tehlar | 1 | -5/+21
Type: fix
Change-Id: Iee96b3ea3e71ec248c3c3c98d153a08372b5faf0
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
(cherry picked from commit dc6378f71bc7c9835845a91dbbc1646ea46df51e)
2020-11-26 | ikev2: fix memory leak in auth routine | Filip Tehlar | 1 | -0/+4
Type: fix
Change-Id: I93529b069925fcef32cdb22e27975b802b4c3b97
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
(cherry picked from commit 623d87fd39c53e2f4d8718014e76836fe07c4245)
2020-11-26 | ikev2: support ipv6 traffic selectors & overlay | Filip Tehlar | 11 | -380/+695
Ticket: VPP-1917
Type: feature
Change-Id: Ie9f22e7336aa7807b1967c48de9843df10fb575c
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
(cherry picked from commit 84962d19ba76eafd5c7658aa86ec61c9b81f7702)
2020-11-26 | ikev2: refactor ikev2 node | Filip Tehlar | 1 | -407/+359
Type: refactor
Change-Id: I65acbd5d9724c500a24699de973df08016d9d8d6
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
(cherry picked from commit 3434cb8fe379791050a85617775bb518cdd0eb5d)
2020-11-26 | ikev2: better packet parsing functions | Filip Tehlar | 8 | -274/+620
Ticket: VPP-1918
Type: improvement
Change-Id: I2bc3e30121697404dcd54f1c2127bd85ccc1029e
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
(cherry picked from commit 558607dc3a96232191f413b9bc894524ff85f2a1)
2020-11-26 | ikev2: show IKE SA command improvements | Filip Tehlar | 1 | -95/+169
Ticket: VPP-1898
Type: improvement
Change-Id: I1c56df331965c733a2d0eae63a12d5a4ee5a2e41
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
(cherry picked from commit 90690f1e8f39904990b4eeeb7851b248a9c908f3)
2020-11-26 | dns: use correct per-thread vlib_main | Benoît Ganne | 4 | -60/+63
Using vlib_main of another thread is prohibited.
Type: fix
Change-Id: I7ae294dfaf2526738e91408c9b4865ef9f801b8a
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit 7483a7272d15354486371be7a20c4bf35ab2eb38)
2020-11-26 | syslog: use per-thread vlib_main | Benoît Ganne | 2 | -5/+2
We should not use main thread vlib_main in workers.
Type: fix
Change-Id: I58c0a8cadf2dc7f768b20ac90e7ec7921e2e8ca4
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit 0a2fde105a5a0c996333d67d2901b4eaedf7cbe1)
2020-11-25 | dns: fix double-unlock | Benoît Ganne | 1 | -12/+0
dns cache should no longer be unlocked by caller.
Type: fix
Fixes: 84a563ae4050cc0389dcd438fbe9ea882f2b8404
Change-Id: I3708718ae8f00e4e4f4e04381caa0095c8494b82
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit 2113c7f28b154df16af3637f67484971759a00a7)
2020-11-13 | crypto-native: fix multi-arch variant initialization | Ray Kinsella | 1 | -4/+0
crypto_native/main.h is being built as default, and crypto_native_main is initialized with a size of 64 bytes. crypto_native/aes_gcm.c and crypto_native/aes_cbc.c are march variants, their ICL variants are expecting crypto_native_main to be 256 bytes.
Type: fix
Signed-off-by: Georgii Tkachuk <georgii.tkachuk@intel.com>
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Signed-off-by: Ray Kinsella <mdr@ashroe.eu>
Change-Id: I4cddb75b712ea83c9cfca621887605d7bae104ec
2020-11-12 | ipsec: add support for tx-table-id in cli + example | Benoît Ganne | 3 | -3/+89
Type: improvement
Change-Id: I840741dfe040718b682935cdbcb0ba958d45a591
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit 40aa27ef7cf63daa11974d0b06ea9ee1a102cb32)
2020-11-12 | feature: reset interface feature arc on interface deletion | Benoît Ganne | 5 | -27/+65
When removing an interface we must reset all per-interface per-feature arc data to ensure we do not get wrong feature arc config data when the sw_if_index is recycled.
Type: fix
Change-Id: I8c9d850d7c62b7b77193da4258ab5fb9bdda85a6
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit 6178bdafa6a318d50cc8ad82f07c6c798c7024ef)
2020-11-12 | af_xdp: fix NUMA node parsing | Benoît Ganne | 1 | -11/+9
Non-NUMA systems might report -1 as NUMA node.
Type: fix
Change-Id: I092c817ea670009d6f530cc70ad13d45e15fd363
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit 4317b8efb1c4a4163b2585b9abd71ec38cd0862c)
2020-11-12 | wireguard: reset secret data before freeing it | Benoît Ganne | 1 | -4/+4
Type: fix
Change-Id: I880bdd55ae5da0b9775a3fb548d44512348a7bc6
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit 2531d50101991011fb1c7755d48f11b41f092628)
2020-11-12 | vpp: fix main heap init | Benoît Ganne | 1 | -4/+1
NUMA node parsing with vlib_get_thread_core_numa() can fail on single socket systems. Use clib_get_current_numa_node() instead as we already pinned the main thread to the requested core.
Type: fix
Change-Id: I22339516d0305689a58584c92ded7c96eb53be39
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit 33ce5e568f8b4fb1254bf5ee32865e9443c0185a)
2020-11-12 | ipsec: fix unformat types | Benoît Ganne | 1 | -2/+2
ipsec_{crypto,integ}_alg_t are packed and smaller than u32. Callers are using those enums so unformat functions should too instead of u32 to not overflow the stack.
Type: fix
Change-Id: Ifc86366f1928ca6352f06f390a88ac64668289d5
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit f6422ffbc82c55f50d06c8c7a2e230db7001ee35)
2020-11-12 | svm: fix fifo unit test | Benoît Ganne | 1 | -4/+6
- fix fifo initialization overflowing chunk size
- stick to the default base virtual address to initialize fifo. ASAN can be picky about address space
Type: fix
Change-Id: If9a29138d2c207859d72845e928290c808c4a982
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit 07b94558087facbb16c0fa82a79fcbbd9b44c485)
2020-11-12 | ikev2: fix cli memory leak | Benoît Ganne | 1 | -30/+40
Type: fix
Change-Id: Ibdd83fa336427ec0c66224ecebb1b6bd36d1d1ba
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit 1f6a6b8b2b4efd4d6735ffd6fa683a0190f232e2)
2020-11-12 | rdma: add RSS support for IPv6 and TCP | Benoît Ganne | 2 | -32/+58
Type: feature
Change-Id: I8b0d918e6f13325954b29bf34e4ef224c1315c51
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit 91603958d1d4fc3114739f9b264808940942e5c8)
2020-11-12 | build: better detection of libbpf dependencies | Benoît Ganne | 1 | -4/+6
Type: fix
Change-Id: Ib496e6eb0a76e6268aea09d5f4495f3ecd921ec2
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit 24b5107edd21b191fac3d6f9f2ae58c6ede59a9e)
2020-11-12 | af_xdp: add option to claim all available rx queues | Benoît Ganne | 6 | -38/+55
Type: feature
Change-Id: I97176c2c90ea664a68078b3a7b7d44eb237a7f13
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit d4e109138279fcfbfce9d82384f0fa53b8f43ae1)